cancel
Showing results for 
Search instead for 
Did you mean: 

Limitations of using CUA with GRC

Former Member
0 Kudos

Hi ,

I have read SAP note 1099011 about the limitations of using CUA with GRC products. Specifically the areas that concern me are that fact that profiles cannot be provisioned in CUP via a CUA system. Does anyone know a workaround for this or does it just mean that you cannot use CUP for assigning profiles if you have CUA?

Also if using CUA, risk terminator cannot be used to stop assignment of roles and users with SoD conflicts. Does this mean that risk analysis will not run if you provision via CUA without using CUP?

I am wondering if all of this sap note is still up to date or if some of these limitations are no longer applicable?

Thanks,

Niamh

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
0 Kudos

Hi Niamh,

Here is my response to your questions:

Does anyone know a workaround for this or does it just mean that you cannot use CUP for assigning profiles if you have CUA?

This was not working in 5.2 and I have not tried this in 5.3. All of my customers on 5.3 don't use profiles so I won't be able to test this feature. Why do you still assign profiles to users?

Also if using CUA, risk terminator cannot be used to stop assignment of roles and users with SoD conflicts. Does this mean that risk analysis will not run if you provision via CUA without using CUP?

No, the risk analysis will work without any issues. Risk terminator is a small piece of functionality which is part of RAR. If turned on, it won't allow you to assign roles or user with SoD violations. RAR is detective and risk terminator acts as preventive solution.

Alpesh

Former Member
0 Kudos

Thanks Alpesh,

I dont understand about risk terminator then. It says in th sap note that if you assign roles via CUA, risk terminator will not flag SoS violations because you are not doing this via SU01 etc. Is this not correct or have you been able to get around this somehow?

Regards,

Niamh

Former Member
0 Kudos

Niamh,

Risk Analysis (RAR) piece is detective and risk terminator acts as preventive solution. Do you know what this means? This means that you will have to run risk analysis and find out SoD violations. It will not stop you from assigning roles to the users even though there are violations. If you have risk terminator (RT) turned on, it will stop you from assigning roles to the users if there are violations. RT internally runs risk analysis and checks for SoD.

Also, try to read more about RT in config guide and at help.sap.com.

Alpesh

Former Member
0 Kudos

Hi Alpesh,

I have used both tools and understand what they both do. What I am asking if if this limitation 1 described in SAP note 1099011 still applys

1. In Access Control 5.2 and 5.3, Risk Terminator, which is a sub-application of Virsa Compliance Calibrator does not interact with CUA systems. If CUA is used for provisioning, Risk Terminator cannot be used to stop assignment of roles which create conflicts.

Thanks,

Niamh

Former Member
0 Kudos

Yes.